active directory at the university of michigan data population and kerberos interoperability...
TRANSCRIPT
Active Directory at the University of Michigan
Data Population and Kerberos Interoperability
MaryBeth Stuenkel [email protected]/NOS/Groupware Services www.umich.edu/~lannos/win2000
Existing Infrastructure
• Uniqname – every faculty, staff, student assigned a unique 3-8 character identifier
• OpenLDAP enterprise directory• MIT Kerberos user identity
– based on uniqname
– used for directory maintenance, email, IFS filespace
• DNS Structure based upon University Organizational Chart (governed by policy)
W2K Implementation Goals
• Provide an infrastructure that allows for distributed administration within a single forest infrastructure
• Enable transparent user access to resources throughout campus
• Automatically populate AD with data from enterprise directory
• Provide single signon via Kerberos• Integrate with existing BIND DNS infrastructure
Forest Rootadsroot.itcs.umich.edu
Campus Treeads.itcs.umich.edu
Engin Treead.engin.umich.edu
Other Treexx.yy.umich.edu
Departmental OUs
Structure of U-M Active Directory Forest
OU=UMich
OU=People
OU=Organizations
Populating Active Directory
• OpenLDAP directory entries update AD– Initial feed/bulk load
– Automatic updates of changes and new entries
– Out-of-band updates
• Schema mapping• Mapping of W2K user principle to MIT realm• Updates are one-way only, changes made in AD
are never passed back to OpenLDAP
cn lDAPDisplayName RequireisSingle Valued
Mapped from:
dn yes N/A uid + path (cn=bjensen,ou=people,ou=umich,dc=…)
Common-Name cn yes TRUE uid
User-Principal-Name userPrincipalName yes TRUE [email protected] ([email protected])
SAM-Account-Name sAMAccountName yes TRUE uid (bjensen)
Alt-Security-Identities altSecurityIdentities FALSE Kerberos: [email protected] (Kerberos:[email protected])
Display-Name displayName TRUE cn (Babs Jensen)
Description Description FALSE use AD displayName, derived from cn
Surname sn TRUE sn
Title title TRUE 1st value of title
E-mail-Addresses mail TRUE 1st value of mail
Other-Mailbox otherMailbox FALSE all mail values after first
Telephone-Number telephoneNumber TRUE 1st value of telephonenumber
Phone-Office-Other otherTelephone FALSE 2nd to Nth values of telephonenumber
Phone-Home-Primary homePhone TRUE 1st value of homephone
Phone-Home-Other otherHomePhone FALSE 2nd to Nth values of homephone
Phone-Mobile-Primary mobile TRUE 1st value of mobile
Phone-Mobile-Other otherMobile FALSE 2nd to Nth values of mobile
Phone-Pager-Primary pager TRUE 1st value of pager
Phone-Pager-Other otherPager FALSE 2nd to Nth values of pager
Facsimile-Telephone-Number facsimileTelephoneNumber TRUE 1st value of facsimiletelephonenumber
Phone-Fax-Other otherFacsimileTelephoneNumber FALSE 2nd to Nth values of facsimiletelephonenumber
WWW-Home-Page wWWHomePage TRUE 1st value of labeledurl
WWW-Page-Other url FALSE 2nd to Nth values of labeledurl
umichad-OU umichadOU FALSE ou
umichad-Role umichadRole FALSE An index "role" attribute; taken from last part of ou values
umichad-No-Batch-Updates umichadNoBatchUpdates TRUE nobatchupdates
umichad-Dir-Sync umichadUMDirToADSyncFlag FALSE 2 = user added, 4 = user changed, 8 = delete user, 16 = modrdn
umichad-No-Batch-Updates umichadNoUMDirUpdates TRUE set in Windows 2000
Active Directory Attribute Mapping from U-M Directory
Populating Active Directory
Still left to do:– Making use of umichadUMDirToADSyncFlag to
log/track user add/change/delete operations from OpenLDAP
– Implementing out-of-band updates to OpenLDAP• Changes in formats of data feeds
• Changes to schema of OpenLDAP
– Testing and move to production
Kerberos Interoperability
• Process– User presents Kerberos username and password and receives MIT
initial ticket granting ticket (TGT)– User receives MIT service TGT from MIT KDC– User receives ADS service TGT from MIT KDC– User uses ADS TGT to request LDAP service ticket from AD
KDC
• Details– Kerberos v5, release 1.2.1– Kerberos passwords NOT synced with AD passwords, AD
password not known by user– One-way trust only, AD trusts MIT
Kerberos Interoperability
Existing challenges– Applying group policy to users in People OU via
loopback processing on computers not working for MIT KDC-authenticated users
– Preventing namespace collisions with current and future uniqnames through user objects created by departmental OU admins
– What about non-Kerberos supported clients?
Summary
• Existing infrastructure– Both a challenge and an enabler– Has provided a rich environment for collaboration
• Automatic data population– Coding for initial feed and automatic updates complete– Logging changes to AD, coding for out-of-bound updates and
more testing to do
• Kerberos interoperability– Authentication via MIT KDC working– Biggest current issue – loopback processing on group policies
applied to computer objects
Credits
• Andrew Wilson• Dave Detlefs
• Paul Turgyen• Other UMCE staff
• Technical Lead• Windows Developer
Web site Developer• LDAP Developer• Kerberos Integration
DNS IntegrationDirectory Integration
[email protected]/~lannos/win2000